
Resolving dynamic reference in EC2 user data cloudformation template

I have a cloudformation template that creates an EC2 launch template.

In the UserData section of the template I need to fetch an SSM secure parameter and expose it as an environment variable to initialise my VM. I am trying to use !Sub but my output is not what I expect. Here's my sample code:

  TestJenkinsMasterLaunchTemplate:
    Type: 'AWS::EC2::LaunchTemplate'
        UserData:
          Fn::Base64: !Sub
            - | 
              #!/bin/bash
              echo ${azure_client_id}
            - azure_client_id: '{{resolve:ssm-secure:/Jenkins/Production/AzureAdClientId:1}}'

The output in the /var/log/cloud-init-output.log file is the template itself: {{resolve:ssm-secure:/Jenkins/Production/AzureAdClientId:1}}.

How can I resolve the SSM parameter properly?

Use the AWS CLI:

azure_client_id=$(aws --region=us-east-1 ssm get-parameter --name "azure_client_id" --with-decryption --output text --query Parameter.Value)

Make sure you: define the userdata as a bash shell script, install aws cli, and make sure the instance role has the correct policies.

Example user data script:

#!/bin/bash
apt-get install -y awscli
export AWS_ACCESS_KEY_ID=your_access_key_id_here
export AWS_SECRET_ACCESS_KEY=your_secret_access_key_here
azure_client_id=$(aws --region=us-east-1 ssm get-parameter --name "azure_client_id" --with-decryption --output text --query Parameter.Value)

Use that user data script in your cloud formation template.

See https://docs.aws.amazon.com/cli/latest/reference/ssm/get-parameter.html
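
An added example, not part of the original question or answer: a user data script that reads the question's SecureString at boot using the instance role rather than access keys written into user data, and stores the value in a root-only file instead of echoing it into /var/log/cloud-init-output.log. It assumes the AWS CLI is installed and the instance profile allows ssm:GetParameter on the parameter and kms:Decrypt on its key; the region, the SECRET_FILE path and the RUN_MAIN guard are assumptions.

```bash
#!/bin/bash
# Added example (not from the original post). REGION and SECRET_FILE are
# assumptions; PARAM_NAME is the parameter named in the question.
set -eu

PARAM_NAME="${PARAM_NAME:-/Jenkins/Production/AzureAdClientId}"
REGION="${REGION:-us-east-1}"
SECRET_FILE="${SECRET_FILE:-/etc/jenkins/azure_client_id}"

# Print the decrypted value; fail if the call fails or returns nothing.
# Credentials come from the instance role, so no access keys appear here.
fetch_secure_param() {
  name="$1"; region="$2"
  value="$(aws --region "$region" ssm get-parameter --name "$name" \
    --with-decryption --output text --query Parameter.Value)" || return 1
  [ -n "$value" ] && [ "$value" != "None" ] || return 1
  printf '%s' "$value"
}

# Store the secret in a root-only file. It is never echoed, because all
# user data output is copied to /var/log/cloud-init-output.log.
store_secret() {
  file="$1"; secret_value="$2"
  mkdir -p "$(dirname "$file")"
  ( umask 077; printf '%s\n' "$secret_value" > "$file" )
  chmod 600 "$file"
}

main() {
  if ! secret="$(fetch_secure_param "$PARAM_NAME" "$REGION")"; then
    echo "could not read $PARAM_NAME from SSM (check the instance role)" >&2
    return 1
  fi
  store_secret "$SECRET_FILE" "$secret"
  echo "stored $PARAM_NAME in $SECRET_FILE"  # logs the name, never the value
}

# Guard so the functions can be sourced and tested; in real user data set
# RUN_MAIN=1 above or replace this block with a plain call to main.
if [ "${RUN_MAIN:-0}" = 1 ]; then
  main
fi
```

Services started later can read the value from the file, so it stays out of the launch template, the CloudFormation stack and the cloud-init log.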
